Month of PHP bugs gets rolling

Developer Stefan Esser has launched his Month of PHP Bugs project with 11 bugs in five days, including an old flaw reintroduced in a new version of PHP and several known bugs he says are unlikely ever to be fixed.

Developer Stefan Esser has launched his Month of PHP Bugs project with 11 bugs in five days, including an old flaw reintroduced in a new version of PHP and several known bugs he says are unlikely ever to be fixed.

Esser and his collaborators published eight flaws in the first three days of the month, followed by another three on Sunday and Monday. Unlike similar, but unconnected, projects such as the Month of Kernel Bugs and the Month of Apple Bugs, "we do not enforce a one-vulnerability-per-day limit upon ourselves," Esser wrote on the site.

The project is designed to force PHP developers to improve security, and Esser kept up a steady stream of criticism of the way PHP security is handled. The three bugs published on the project's first day are those "that are already known but are not yet or will never be fixed", he said.

A cross-site scripting flaw, bug number eight, was disclosed in October 2005, fixed, but then reintroduced in PHP 4.4.3, Esser said.

The project focuses on the PHP standard distribution, but Esser included two "bonus" bugs that affect the Zend Platform, which runs on a web server, monitoring PHP applications and reporting on performance and possible problems.

Zend, which sponsors PHP development, has criticised Esser for his aggressive attitude toward PHP developers, but Esser said others have been supportive, with several developers volunteering their own zero-day flaws for publication.

"The reaction has been quite positive so far," he wrote in a blog post.